Further targeted ransomware attacks on the UK education sector by cyber criminals - Alert
Further targeted ransomware attacks on the UK education sector by cyber criminals
Alert
Version 2.0
What’s new? Updated with new information on 19 March 2021: March 2021 activity.
© Crown Copyright 2021
Alert: Further targeted ransomware attacks on the UK education sector by cyber criminals

Updated information for the education sector: Update March 2021

The NCSC is responding to further targeted ransomware attacks on the education sector by cyber criminals. Since late February 2021, an increased number of ransomware attacks have affected education establishments in the UK, including schools, colleges and universities.

The NCSC previously acknowledged an increase in ransomware attacks on the UK education sector during August and September 2020. The NCSC has therefore updated this Alert in line with the latest activity.

The NCSC urges all organisations to follow our guidance on ‘Mitigating malware and ransomware’. This details a number of steps organisations can take to disrupt ransomware attack vectors and enable effective recovery from ransomware attacks.
Introduction

The NCSC continues to respond to an increased number of ransomware attacks affecting education establishments in the UK, including schools, colleges, and universities.

This report details recent trends observed in ransomware attacks on the UK education sector. This encompasses trends observed during August and September 2020, as well as the more recent attacks since February 2021. It also provides mitigation advice to help protect this sector from attack.

This alert is designed to be read by those responsible for IT and Data Protection at education establishments within the UK. Where these services are outsourced, you should discuss this Alert with your IT providers.

It is also important that senior leaders understand the nature of the threat and the potential for ransomware to cause considerable damage to their institutions in terms of lost data and access to critical services.

Due to the prevalence of these attacks, you should be sure to follow NCSC’s mitigating malware and ransomware guidance. This will help you put in place a strategy to defend against ransomware attacks, as well as planning and rehearsing ransomware scenarios, in the event that your defences are breached.
Ransomware

Ransomware is a type of malware that prevents you from accessing your systems or the data held on them. Typically, the data is encrypted, but it may also be deleted or stolen, or the computer itself may be made inaccessible.

Following the initial attack, those responsible will usually send a ransom note demanding payment to recover the data. They will typically use an anonymous email address (for example ProtonMail) to make contact and will request payment in the form of a cryptocurrency.

More recently, there has been a trend towards cyber criminals also threatening to release sensitive data stolen from the network during the attack, if the ransom is not paid. There are many high-profile cases where the cyber criminals have followed through with their threats by releasing sensitive data to the public, often via “name and shame” websites on the darknet.

Impact

Ransomware attacks can have a devastating impact on organisations, with victims requiring a significant amount of recovery time to reinstate critical services. These events can also be high profile in nature, with wide public and media interest.

In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing. It is therefore vital that organisations have up-to-date and tested online backups. For further information see the NCSC’s Offline backups in an online world blog as well as the NCSC’s guidance on backing up your data.
Common ransomware infection vectors

Ransomware attackers can gain access to a victim’s network through a number of infection vectors. Indeed, it can be hard to predict how a compromise will begin, as cyber criminals adjust their attack strategy depending on the vulnerabilities they identify. However, in recent incidents, the NCSC has observed the following trends:

Remote access

Attackers frequently target organisations’ networks through remote access systems such as remote desktop protocol (RDP) and virtual private networks (VPN). They regularly exploit:
• weak passwords,
• lack of multi-factor authentication (MFA),
• unpatched vulnerabilities in remote access systems.

Remote Desktop Protocol (RDP) remains the most common attack vector used by threat actors to gain access to networks. RDP is one of the main protocols used for remote desktop sessions, enabling employees to access their office desktop computers or servers from another device over the internet.

Insecure RDP configurations are frequently used by ransomware attackers to gain initial access to victims’ devices. Often the attacker has previous knowledge of user credentials, through phishing attacks, from data breaches or credential harvesting. User credentials have also been discovered through brute force attacks because of ineffective password policies. Compromised credentials and remote access are frequently sold by cyber criminals on criminal marketplaces and forums on the dark web.

VPN vulnerabilities: Since 2019, multiple vulnerabilities have been disclosed in a number of VPN appliances (for example Citrix, Fortinet, Pulse Secure and Palo Alto). Ransomware actors exploit these vulnerabilities to gain initial access to targeted networks.

The shift towards remote learning over the past year has meant that many organisations have rapidly deployed new networks, including VPNs and related IT infrastructure. Cyber criminals continue to take advantage of the vulnerabilities in software.

Phishing

Phishing emails are frequently used by actors to deploy ransomware. These emails encourage users to open a malicious file or click on a malicious link that hosts the malware.

Other vulnerable software or hardware

Unpatched or unsecure devices have commonly been used by ransomware attackers as an easy route into networks. For example, on 11 March 2021 Microsoft reported that cyber criminals have exploited vulnerabilities in Microsoft Exchange Servers to install ransomware on a network.
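The brute-force-then-success pattern the alert describes for RDP is one a school or college can spot in its own Windows Security logs. The following is an added example, not NCSC code: it correlates failed logons (Event ID 4625) and successful logons (Event ID 4624) of logon type 10 (RemoteInteractive, i.e. RDP) by source address, and raises an alert when a burst of failures from one address is followed by a success. The CSV-style export format, the thresholds and the log lines are constructed for the example.

```python
# Added example (not NCSC code): correlate Windows Security log logon events to
# surface the RDP pattern the alert describes, namely repeated failed logons from
# one source followed by a success. Event IDs are the standard Windows ones:
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
# The field layout, thresholds and sample lines are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,event_id,logon_type,user,source_ip
SAMPLE_LOG = """\
2021-03-10T02:00:01,4625,10,admin,203.0.113.7
2021-03-10T02:00:03,4625,10,admin,203.0.113.7
2021-03-10T02:00:05,4625,10,administrator,203.0.113.7
2021-03-10T02:00:07,4625,10,admin,203.0.113.7
2021-03-10T02:00:09,4625,10,itsupport,203.0.113.7
2021-03-10T02:00:11,4625,10,admin,203.0.113.7
2021-03-10T02:00:15,4624,10,admin,203.0.113.7
2021-03-10T02:01:00,4625,10,jsmith,198.51.100.9
2021-03-10T02:01:20,4625,10,jsmith,198.51.100.9
2021-03-10T02:01:40,4624,10,jsmith,198.51.100.9
2021-03-10T08:30:00,4624,10,aturner,192.0.2.5
2021-03-10T08:31:00,4625,3,svc_backup,192.0.2.5
"""

FAIL_THRESHOLD = 5               # failures from one source before we alert
WINDOW = timedelta(minutes=10)   # sliding window the failures must fall within
RDP_LOGON_TYPE = 10

def parse_events(text):
    """Parse the CSV-style export into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for sources with >= threshold RDP failures inside
    the sliding window; each alert records whether an RDP success followed."""
    recent_fails = defaultdict(list)
    alerts = {}
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive (RDP) logons matter for this rule
        ip = e["ip"]
        if e["event_id"] == 4625:
            # keep only failures still inside the window, then add this one
            recent_fails[ip] = [t for t in recent_fails[ip] if e["ts"] - t <= window]
            recent_fails[ip].append(e["ts"])
            if len(recent_fails[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"first_failure": recent_fails[ip][0],
                                               "succeeded_after": False, "user": None})
                alert["failures"] = len(recent_fails[ip])
        elif e["event_id"] == 4624 and ip in alerts:
            # A success after a burst of failures: treat the account as compromised.
            alerts[ip]["succeeded_after"] = True
            alerts[ip]["user"] = e["user"]
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        status = "SUCCESS FOLLOWED" if alert["succeeded_after"] else "failures only"
        print(f"{ip}: {alert['failures']} RDP failures since {alert['first_failure']} "
              f"({status}, user={alert['user']})")
```

On the sample data only 203.0.113.7 trips the rule: two failures from 198.51.100.9 stay below the threshold, and the type 3 (network) failure is ignored. Even a brute-force burst without a following success is worth a ticket, because it shows RDP is reachable from the internet, which MFA and a VPN gateway should be preventing.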
Lateral movement and privilege escalation

Having acquired initial access to a network, an attacker will typically seek to navigate around the network, increase their privileges and identify high-value systems, often using additional tooling (such as Mimikatz, PsExec, and Cobalt Strike) to assist with this. They may also attempt to conceal their actions so that any subsequent investigation will be more difficult.

Recently we have also observed attackers seeking to:
• sabotage backup or auditing devices to make recovery more difficult,
• encrypt entire virtual servers,
• use scripting environments (e.g. PowerShell) to easily deploy tooling or ransomware.
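The post-access behaviour listed above (tooling launched via PowerShell, remote execution through PsExec, backups and audit logs tampered with) shows up in process-creation telemetry such as Sysmon Event ID 1 or Security Event ID 4688. The following is an added example, not NCSC code: it screens process-creation records for those behaviours and decodes PowerShell's -EncodedCommand argument so an analyst can read what was run. The record format, the rule list (which is illustrative, not exhaustive) and the sample records are constructed for the example.

```python
# Added example (not NCSC code): screen process-creation records (e.g. Sysmon
# Event ID 1 or Security Event ID 4688 exported as text) for the post-access
# behaviour the alert lists: tooling launched through PowerShell, remote
# execution via PsExec, and tampering with backups or audit logs. The record
# format, rule list and sample records are constructed and not exhaustive.
import base64
import re

def _encoded_ps(script):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample records: "parent_image|image|command_line"
SAMPLE_RECORDS = [
    "explorer.exe|winword.exe|WINWORD.EXE /n C:\\Users\\teacher\\coursework.docx",
    "winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc " + _encoded_ps("Write-Host demo"),
    "services.exe|PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe",
    "cmd.exe|vssadmin.exe|vssadmin delete shadows /all /quiet",
    "cmd.exe|wevtutil.exe|wevtutil cl Security",
    "explorer.exe|powershell.exe|powershell.exe Get-ChildItem C:\\Backups",
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; this list covers
# the common spellings only.
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(command_line):
    """Return the decoded script if the line carries -EncodedCommand, else None."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(record):
    """Return the list of rule names that match one record."""
    parent, image, cmd = record.split("|", 2)
    low = cmd.lower()
    hits = []
    if "powershell" in image.lower() and decode_encoded_command(cmd) is not None:
        hits.append("encoded_powershell")      # scripting environment used covertly
    if image.lower() == "psexesvc.exe" or "psexesvc" in low:
        hits.append("psexec_service")          # PsExec service side on the target
    if low.startswith("vssadmin") and "delete" in low and "shadows" in low:
        hits.append("backup_sabotage")         # shadow copies removed before encryption
    if low.startswith("wbadmin") and "delete" in low:
        hits.append("backup_sabotage")         # Windows Backup catalog removed
    if re.match(r"^wevtutil\s+cl\b", low):
        hits.append("audit_log_cleared")       # event log cleared to hinder investigation
    return hits

def scan(records):
    """Return [(rule, command_line, decoded_script_or_None)] for every match."""
    findings = []
    for r in records:
        cmd = r.split("|", 2)[2]
        for rule in classify(r):
            findings.append((rule, cmd, decode_encoded_command(cmd)))
    return findings

if __name__ == "__main__":
    for rule, cmd, decoded in scan(SAMPLE_RECORDS):
        print(f"[{rule}] {cmd}" + (f"  -> decoded: {decoded!r}" if decoded else ""))
```

Pairing each hit with its parent process is what turns a match into a judgement: an Office application spawning PowerShell, as in the second record, is the phishing-to-ransomware chain from the previous section, while an administrator running Get-ChildItem from Explorer (last record) is left alone. The rule names map naturally onto the backup-sabotage and scripting-environment items in the list above.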
Mitigation

The NCSC recommends that organisations implement a ‘defence in depth’ strategy to defend against malware and ransomware attacks. This section lists a number of important defence practices and techniques.

Your organisation should also have an incident response plan, which includes a scenario for a ransomware attack, and this should be exercised. Further details can be found in the NCSC’s recently updated guidance on ‘Mitigating Malware and Ransomware’.

Disrupting ransomware attack vectors:
• Effective vulnerability management and patching procedures (see Vulnerability Management).
• Secure RDP services using Multi Factor Authentication.
• Install and enable Antivirus software.
• Implement mechanisms to prevent Phishing attacks.
• Disable or constrain scripting environments and macros.

Enable effective recovery:
• Having up-to-date and tested offline backups. Offline backups are the most effective way to recover from a ransomware attack (see the NCSC’s Offline backups in an online world blog).
• Exercise your response to ransomware and other cyber attacks (see the NCSC’s Exercise in a Box).

The NCSC has produced a number of practical resources to help schools and other educational institutions improve their cyber security:
• Cyber Security for Schools
• Top Tips for Staff
• 10 steps to cyber security
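"Up-to-date and tested" backups means more than a scheduled job reporting success: a restore has to be carried out and compared with what was backed up. The following is an added example, not NCSC code: a SHA-256 manifest is recorded when the backup is taken, a later restore into a scratch directory is checked file by file against it, and the manifest's age is compared with an age limit. The directory layout, the one-day limit and the demo fixture are constructed for the example.

```python
# Added example (not NCSC code): a restore test for the "up-to-date and tested
# backups" recommendation. A manifest of SHA-256 hashes is written when the
# backup is taken; a later restore into a scratch directory is compared against
# it, and the manifest's age is checked. Paths and the age limit are constructed.
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE = timedelta(days=1)   # constructed policy: backups older than this are stale

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest; all-empty lists mean a good restore."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(p for p in current if p not in manifest),
    }

def backup_is_fresh(taken_at, now=None, max_age=MAX_BACKUP_AGE):
    """True if the backup was taken within max_age of now (UTC)."""
    now = now or datetime.now(timezone.utc)
    return now - taken_at <= max_age

def demo_restore_test():
    """Build a constructed source tree, 'restore' it twice (once intact, once
    damaged) and return both verification results for inspection."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "year11"))
        with open(os.path.join(src, "year11", "coursework.txt"), "w") as f:
            f.write("constructed coursework")
        with open(os.path.join(src, "finance.csv"), "w") as f:
            f.write("term,amount\nspring,1200\n")
        manifest = build_manifest(src)

        good = os.path.join(work, "restore-good")
        shutil.copytree(src, good)
        clean = verify_restore(manifest, good)

        bad = os.path.join(work, "restore-bad")
        shutil.copytree(src, bad)
        with open(os.path.join(bad, "finance.csv"), "w") as f:
            f.write("tampered")                      # content differs from manifest
        os.remove(os.path.join(bad, "year11", "coursework.txt"))   # file lost
        damaged = verify_restore(manifest, bad)
        return {"manifest": manifest, "clean": clean, "damaged": damaged}
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    result = demo_restore_test()
    print("intact restore:", result["clean"])
    print("damaged restore:", result["damaged"])
```

The manifest must live with the offline copy, not only on the file server it describes, otherwise an attacker who sabotages backups (as described in the previous section) can rewrite both. Running this against a real restore also exercises the incident response plan the section asks for, since it forces the question of where the restore is done and how long it takes.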
You can also read